Public API endpoints
IBM® QRadar® Use Case Manager provides APIs that you can use to interact with the data.
Use Case Explorer
Generate and download report data in CSV or JSON formats.
Endpoint | Description |
---|---|
POST: /api/use_case_explorer | Generates a Use Case Explorer report. |
GET: /api/use_case_explorer/{reportId}/status | Checks the status of a Use Case Explorer report. |
GET: /api/use_case_explorer/{reportId}/result | Returns the results of a Use Case Explorer report as a JSON array, page by page. |
POST: /api/use_case_explorer/{reportId}/download_csv | Starts a job to download a Use Case Explorer report as a CSV file. |
GET: /api/use_case_explorer/download_csv/{jobId}/status | Checks the status of a Use Case Explorer CSV file download job. |
GET: /api/use_case_explorer/download_csv/{jobId}/result | Returns the results of the Use Case Explorer download CSV job. |
POST: /api/use_case_explorer/{reportId}/download_json | Starts a job to download a Use Case Explorer report as a JSON file. |
GET: /api/use_case_explorer/download_json/{jobId}/status | Checks the status of a Use Case Explorer JSON file download job. |
GET: /api/use_case_explorer/download_json/{jobId}/result | Returns the results of the Use Case Explorer download JSON job. |
POST: /api/rules_export/html/{reportId}/download_report | Starts a job to download Use Case Explorer rules as a compressed HTML report. Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header. |
GET: /api/rules_export/html/download_report/{jobId}/status | Checks the status of a Use Case Explorer compressed HTML report download job. |
GET: /api/rules_export/html/download_report/{jobId}/result | Returns the results of the Use Case Explorer download compressed HTML report job. |
Log source coverage
Get information about rule-log source type activity and coverage.
Endpoint | Description |
---|---|
GET: /api/log_source_types/activity_and_current_rules_count | Returns information on rule-log source type activity and current coverage. |
GET: /api/log_source_types/current_and_potential_rules_count | Returns information on current and potential rule-log source type coverage. |
MITRE endpoints
Get information about rule mappings. Create custom adversary groups and map them to existing tactics and techniques. Upload custom MITRE group-technique files.
Endpoint | Description |
---|---|
POST: /api/custom_mitre_group_technique | Upload a custom MITRE group-technique file. |
GET: /api/mappings | Returns all MITRE ATT&CK rule mappings in QRadar Use Case Manager. |
POST: /api/mappings | Imports previously created mappings into QRadar Use Case Manager. Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header. |
DELETE: /api/mappings | Deletes any customized rule mappings in QRadar Use Case Manager and resets the mappings back to the IBM default. Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header. |
GET: /api/mappings/by_name | Returns the rule mappings in QRadar Use Case Manager. |
POST: /api/mappings/by_name | Creates new rule mappings in QRadar Use Case Manager. |
DELETE: /api/mappings/by_name | Deletes the rule mappings in QRadar Use Case Manager by rule ID. Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header. |
GET: /api/mitre/mitre_coverage/{ruleUUID} | Returns all rule and child mappings in QRadar Use Case Manager by rule UUID. |
GET: /api/mappings/tactics | Returns all MITRE ATT&CK tactics and techniques in QRadar Use Case Manager. |
GET: /api/mappings/tactics/{tactic_id} | Returns all the techniques for the requested MITRE ATT&CK tactic in QRadar Use Case Manager. |
GET: /api/mappings/numbers_by_tactic | Returns the number of MITRE ATT&CK rule mappings per tactic in QRadar Use Case Manager. |
GET: /api/mappings/trends | Returns the number of MITRE ATT&CK rule mappings in QRadar Use Case Manager per day since the specified time. |
Tuning findings
Get information about tuning findings.
Endpoint | Description |
---|---|
GET: /api/rule/findings | Gets all the tuning findings. |
GET: /api/rule/findings/{ruleId}/findingsByRuleId | Returns all tuning findings for a specific rule ID. |
Active rules chart APIs
Get information about the List of closed offenses by reason and Overview of active rules charts.
Endpoint | Description |
---|---|
GET: /api/rule/offense_count | Returns the Job ID, which can be used to fetch all rules with their offense count. |
GET: /api/rule/offense_count/{job_id}/status | Returns the status of a rule-offense count API call. |
GET: /api/rule/offense_count/{job_id}/results | Returns the result of a rule-offense count API call. |
GET: /api/offenses | Returns the Job ID, which can be used to fetch the list of all offenses. |
GET: /api/offenses/{job_id}/status | Returns the status of an offenses API call. |
GET: /api/offenses/{job_id}/results | Returns the result of an offenses API call. |
GET: /api/offenses/closing_reasons | Returns all offense closing reasons. |
Example
The following example shows a request that passes the SEC token in the header.

```shell
curl -i -k -X 'POST' 'https://xxxxxx/console/plugins/app_proxy:UseCaseManager_Service/api/mappings/by_name?rule_id=234567' -H 'accept: application/json' -H 'sec:xxxxxx'
```

where -H 'sec:xxxxxx' is the same SEC token that is used in QRadar Use Case Manager. Note that -k disables certificate verification for the console's TLS endpoint; omit it when the console presents a certificate your client trusts.
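Several of the endpoints above follow one asynchronous pattern: a POST starts a job, a GET on the status endpoint is polled until the job finishes, and a GET on the result endpoint fetches the output, all with the SEC token in the request header. The following script, added here as an illustration and not code from IBM or the QRadar Use Case Manager project, drives that pattern for the Use Case Explorer report. It takes the base path from the curl example on this page; the JSON field names `reportId` and `status` and the status values `IN_PROGRESS`, `COMPLETED` and `FAILED` are assumptions, since the page does not document the response bodies. The `make_fake_transport` stand-in is constructed so the script runs offline; against a real console, `urllib_transport` is used and leaves TLS certificate verification on.

```python
"""Added example (not IBM's or QRadar's own code): drive the asynchronous
Use Case Explorer report workflow (POST to start, GET status until done,
GET result) while passing the SEC token in the request header."""
import json
import os
import time
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (http_status, raw_body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

# Base path taken from the curl example on this page.
BASE_PATH = "/console/plugins/app_proxy:UseCaseManager_Service"


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport. Certificate verification stays enabled (the opposite
    of curl -k), so a console with an untrusted certificate fails here."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class UseCaseManagerClient:
    def __init__(self, console_host: str, sec_token: str,
                 transport: Transport = urllib_transport,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.base = f"https://{console_host}{BASE_PATH}"
        # The same SEC token QRadar Use Case Manager uses, sent in the "sec" header.
        self.headers = {"accept": "application/json", "sec": sec_token}
        self.transport = transport
        self.sleep = sleep

    def _call(self, method: str, path: str, body: Optional[bytes] = None):
        status, raw = self.transport(method, self.base + path, self.headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned HTTP {status}")
        return json.loads(raw)

    def start_report(self) -> str:
        # ASSUMPTION: the POST answers with JSON carrying the id in "reportId".
        return self._call("POST", "/api/use_case_explorer")["reportId"]

    def wait_for_report(self, report_id: str, poll_interval: float = 5.0,
                        max_polls: int = 60) -> str:
        # ASSUMPTION: the status body has a "status" field reading "COMPLETED"
        # on success and "FAILED" on error (hypothetical values).
        for _ in range(max_polls):
            state = self._call("GET", f"/api/use_case_explorer/{report_id}/status")["status"]
            if state == "COMPLETED":
                return state
            if state == "FAILED":
                raise RuntimeError(f"report {report_id} failed")
            self.sleep(poll_interval)
        raise TimeoutError(f"report {report_id} not finished after {max_polls} polls")

    def report_result(self, report_id: str) -> List[dict]:
        return self._call("GET", f"/api/use_case_explorer/{report_id}/result")


def run_report(console_host: str, sec_token: str, transport: Transport = urllib_transport,
               sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Start a report, wait for it, and return the first result page."""
    client = UseCaseManagerClient(console_host, sec_token, transport, sleep)
    report_id = client.start_report()
    client.wait_for_report(report_id)
    return client.report_result(report_id)


def make_fake_transport(expected_token: str) -> Transport:
    """Constructed stand-in for the console so the example runs offline: rejects a
    wrong SEC header with 401 and reports the job finished on the second poll."""
    polls = {"n": 0}

    def transport(method, url, headers, body):
        if headers.get("sec") != expected_token:
            return 401, b'{"message": "unauthorized"}'
        path = url.split(BASE_PATH, 1)[1]
        if (method, path) == ("POST", "/api/use_case_explorer"):
            return 200, b'{"reportId": "r-1"}'
        if (method, path) == ("GET", "/api/use_case_explorer/r-1/status"):
            polls["n"] += 1
            state = "COMPLETED" if polls["n"] >= 2 else "IN_PROGRESS"
            return 200, json.dumps({"status": state}).encode()
        if (method, path) == ("GET", "/api/use_case_explorer/r-1/result"):
            return 200, b'[{"rule_name": "Constructed rule A"}, {"rule_name": "Constructed rule B"}]'
        return 404, b"{}"

    return transport


if __name__ == "__main__":
    # Token comes from the environment rather than argv so it stays out of shell history.
    rows = run_report(os.environ["QRADAR_CONSOLE"], os.environ["QRADAR_SEC_TOKEN"])
    print(json.dumps(rows, indent=2))
```

Injecting the transport keeps the polling logic testable without a console and makes the trust decision explicit: the real transport refuses an untrusted certificate instead of silently accepting it the way `-k` does, and a missing or wrong SEC token surfaces as a non-200 status on the very first call rather than as an empty or confusing result later.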